When the Vibes Run Out: The Hidden Cost of AI-Built Websites

A business owner somewhere in Chiang Mai is telling anyone who will listen that they pulled their site off WordPress last month and rebuilt it using AI. The build took a weekend. The cost was minimal. The announcement lands with the energy of someone who has discovered something the professionals did not want them to know.

They are not wrong about the speed. They are wrong about what comes next.

Vibe coding, a term coined by former OpenAI researcher Andrej Karpathy in early 2025 to describe building software entirely through natural language prompts without reviewing the underlying code, went from weekend curiosity to business trend in under a year. Collins Dictionary named it Word of the Year for 2025. Sixty-three percent of the people now using these tools are not developers at all. The tools have improved, the marketing is compelling, and the argument is simple: why pay someone to build a website when AI can do it faster and cheaper?

That argument collapses the moment the site needs to be run.

The CMS problem

A professionally built website typically runs on a content management system, or CMS. This is the backend layer that allows a business owner to add a page, update pricing, publish a post, or change opening hours without touching any code. WordPress is a CMS. So are many of its alternatives. The separation between content and code is not a cosmetic feature. It is the mechanism by which a non-technical person operates a technical asset.

AI-built sites assembled through vibe coding tools typically have no such layer. The site is the code. To change the site, you change the code, which means returning to the AI tool, re-prompting, reviewing the output, testing the result, and repeating the cycle until the output is correct. For a business that updates its site regularly, that cycle accumulates across every single task.

A GitClear analysis found that AI-generated code produced a four-fold increase in code duplication and a near doubling of code churn, meaning code that is quickly rewritten or discarded. The initial saving disappears. The person absorbing the maintenance cost is usually the owner, spending hours on a task a contractor would have handled in minutes.

The compounding effect is worse. Each modification risks introducing new problems into code the owner cannot audit. A University of San Francisco study found that after five rounds of AI refinement, critical vulnerabilities increased by 37 percent, not decreased. Prompting AI to fix its own mistakes does not reliably produce better code. It produces more code.

The security problem

This is where the conversation shifts from inconvenient to serious.

A landmark Veracode study analysed over 100 large language models across 80 coding tasks and found that 45 percent of AI-generated code introduces security vulnerabilities, including critical flaws on the OWASP Top 10 list of the most dangerous web application security risks.

The reason is structural. Palo Alto Networks’ Unit 42 calls it context blindness: AI evaluates functions in isolation, missing system-wide architectural vulnerabilities such as missing rate limits or poor token management. Generative models optimise for plausible-looking output, not secure architecture.

The consequences are not theoretical. In March 2025, a security researcher testing a LinkedIn profile generator built with vibe coding platform Lovable found that removing a single authorisation header gave full access to the entire user database. A subsequent scan of 1,645 Lovable-built applications found that 170 of them, one in ten, had critical security flaws exposing 303 vulnerable endpoints. The leaked data included full names, email addresses, phone numbers, home addresses, and API keys. A separate first-quarter 2026 assessment of more than 200 vibe-coded applications found that 91.5 percent contained at least one vulnerability traceable to an AI hallucination.

Lovable’s platform at the time was used by employees at Microsoft, Nvidia, Uber, Zendesk, and Deutsche Telekom. The flaw was not obscure. It was the default.
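The failure class described above, where a request stripped of its authorisation header still returns data, comes down to a handler that fails open. The sketch below is an added example, not code from Lovable or from any application mentioned in this article; the handlers, sample users and tokens are all constructed for illustration. It puts the fail-open pattern beside a fail-closed version and adds the regression check a reviewer would run against every endpoint.

```javascript
// Constructed sample data: not from any real application.
const USERS = [
  { id: 1, name: "Alice Example", email: "alice@example.test", token: "tok-alice" },
  { id: 2, name: "Bob Example", email: "bob@example.test", token: "tok-bob" },
];

// Resolve a bearer token to a user record, or null if missing or unknown.
function authenticate(headers) {
  const value = headers["authorization"] || "";
  const match = /^Bearer (.+)$/.exec(value);
  if (!match) return null;
  return USERS.find((u) => u.token === match[1]) || null;
}

// Fail-open: the token is only validated when a header is present.
// A request with no header at all falls through to the full table.
function listProfilesFailOpen(headers) {
  if (headers["authorization"] && !authenticate(headers)) {
    return { status: 401, body: [] };
  }
  return { status: 200, body: USERS.map(({ token, ...profile }) => profile) };
}

// Fail-closed: no valid identity means no data, and the rows returned
// are scoped to the caller rather than the whole table.
function listProfilesFailClosed(headers) {
  const caller = authenticate(headers);
  if (!caller) return { status: 401, body: [] };
  const rows = USERS.filter((u) => u.id === caller.id);
  return { status: 200, body: rows.map(({ token, ...profile }) => profile) };
}

// Regression check: a request without credentials must never return records.
function leaksWithoutAuth(handler) {
  const res = handler({});
  return res.status === 200 && res.body.length > 0;
}

console.log("fail-open leaks:", leaksWithoutAuth(listProfilesFailOpen));
console.log("fail-closed leaks:", leaksWithoutAuth(listProfilesFailClosed));
```

Both handlers look equally plausible when read one function at a time, which is why the check has to be run against the behaviour rather than inferred from the prompt.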

The liability problem

The security exposure is material for any business that collects customer data, processes payments, or operates in a regulated sector. That list covers most established businesses.

Consider the range: legal practices, insurance brokers, medical clinics, financial advisers, lenders, educational institutions, hospitality businesses with booking systems, and any business holding customer data subject to data protection obligations. In Thailand, the Personal Data Protection Act carries penalties for breaches regardless of how the vulnerability was introduced. The liability attaches to the operator, not the tool.

Breaches involving AI-generated code now cost between four and nine million dollars per incident at enterprise scale, with unpatched flaws producing an estimated half a million dollars per month in compliance penalties. Those are large-company figures. For a small business, the exposure is proportionally smaller. The mechanism is identical: a vulnerability the owner cannot see, in code the owner does not understand, on a site the owner believes is working correctly.

The performance problem

Beyond security, discoverability matters to any business that relies on its website to generate enquiries.

Professional developers design websites with SEO in mind from the start, ensuring proper heading structures, clean code, optimised images, and fast loading speeds. In 2025, discoverability also means performance in AI-driven search tools such as ChatGPT and Perplexity, which rely on structured, trustworthy content to surface recommendations. A site built without considering these factors does not appear in those results.

An AI tool asked to build a high-performing site produces something that resembles one. Whether it actually performs is answered by auditing the output, not trusting the prompt. Developer trust in AI code accuracy dropped from roughly 40 percent in 2024 to just 29 percent in 2025, even as usage continued to climb. The people closest to the tools are the most sceptical of what the tools produce unsupervised.


The opportunity cost problem

The financial argument for vibe coding rests on a comparison of build costs. The professional site costs more to set up. The AI site costs less. That comparison ignores ongoing management, risk exposure, and what the owner is not doing while maintaining the site themselves.

Every hour spent re-prompting an AI tool to modify a website is an hour not spent on client work, business development, or the activities that justify the owner’s position in their own business. For any founder or professional whose time has a clear market value, the calculation runs in the wrong direction almost immediately.

The brag is that the site was built in a weekend for almost nothing. The reality, visible several months later, is that the same owner is spending disproportionate time on a task that was supposed to have been permanently solved.


What this means for Chiang Mai businesses

The wave is still early. The tools will continue to improve, and there are genuine use cases where AI-assisted builds make sense. A solopreneur validating an idea on a tight budget is a different situation from an established business migrating its primary commercial asset on the basis of a trend.

For established Chiang Mai businesses considering the move: the speed is real, the initial cost is lower, and neither fact changes the underlying logic. A website is a commercial asset. Commercial assets require professional management, proper structure, and ongoing accountability. The tools that assembled the asset over a weekend are not equipped to protect it, optimise it, or repair it when something breaks.

The cleanup work is already forming. The businesses that avoid it are the ones that treated AI as a capable tool within a professionally managed framework, rather than a replacement for one.


CMBN provides digital audits covering SEO, schema, security posture, and search visibility for businesses across Chiang Mai. Contact the team to find out where your site actually stands.
